O'Malley wrote:
>
> At our site we have principals (user accounts) in a Windows 2000 AD domain,
> let's call this realm WIN.AD. I have configured Kerberos on my workstation
> and can get my krbtgt from the AD using my account--so far so good.
>
> I have created a second realm for my servers, let's call this realm
> NOT.WIN.AD, where I have created "host", "telnet", and account principals.
> I can kinit and ktelnet between systems in the realm using the NOT.WIN.AD
> account principal ([EMAIL PROTECTED]).
>
> I would like to use the WIN.AD accounts to access the NOT.WIN.AD resources.
> Can I use mappings in the krb5.conf [capaths] section to accomplish this?

Yes, we do that all the time. But you will need to set up the cross-realm keys. See:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Section: "Setting Trust with a Kerberos Realm"

>
> I have already tried the following without success:

The capaths would not be needed in your case, as the default path from
NOT.WIN.AD is up to WIN.AD. But if the real realm names are not directly
related, then you would need the capaths.

>
> [capaths]
> NOT.WIN.AD = {
> WIN.AD = .
> }
> WIN.AD = {
> WIN.AD = .
> }
>
> thanks,
> ...Mike
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
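
The default path and the cross-realm keys mentioned in the reply above can be worked out from the realm names alone. The following is an added example, not part of the original thread and not MIT krb5's own code: a simplified model of the hierarchical default, in which the function names are hypothetical, CORP.EXAMPLE and LAB.TEST are constructed realm names, and realms that share no name suffix are assumed to need a [capaths] entry.

```python
# Added illustration: a simplified model of the hierarchical default path,
# not MIT krb5's own implementation.

def hierarchical_path(client_realm, server_realm):
    """Return the realms traversed from client to server using only the
    dotted-name hierarchy, or None when the names share no suffix
    (the case assumed here to require a [capaths] entry)."""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    # Count the trailing name components the two realms have in common.
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return None
    # Walk up from the client realm to the common ancestor ...
    up = [".".join(c[i:]) for i in range(len(c) - common + 1)]
    # ... then down from just below the ancestor to the server realm.
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]
    return up + down


def cross_realm_keys(path):
    """krbtgt principals needed for each hop; the same key must be
    present in the KDC databases of both realms of the hop."""
    return ["krbtgt/%s@%s" % (nxt, cur) for cur, nxt in zip(path, path[1:])]


if __name__ == "__main__":
    # WIN.AD users reaching NOT.WIN.AD services (the case in the thread),
    # sibling realms, and two constructed unrelated realm names.
    for client, server in [("WIN.AD", "NOT.WIN.AD"),
                           ("A.WIN.AD", "B.WIN.AD"),
                           ("CORP.EXAMPLE", "LAB.TEST")]:
        path = hierarchical_path(client, server)
        if path is None:
            print(client, "->", server, ": no shared suffix, use [capaths]")
        else:
            print(client, "->", server, ":", cross_realm_keys(path))
```

For the thread's case the only hop is WIN.AD to NOT.WIN.AD, so the single principal to create on both sides is krbtgt/NOT.WIN.AD@WIN.AD.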